ISMS Internal Auditor Course.ppt

Posted on 29-Nov-2015


Description: ISMS Auditor Course

Transcript

COMS Vantage Committed to Systems

Internal ISMS Auditor Course


Learning Objectives

To be able to:

- Have knowledge of the concepts of Information and Information Security Management Systems
- Understand the requirements of ISO 27001:2005 in auditing terms
- Understand risk assessment methodology
- Plan and conduct an IMS audit
- Report the audit
- Undertake audit follow-up activities

Course Content

DAY 1
- Concepts and Philosophy of ISMS Framework
- ISO 27001:2005 Requirements
- Concepts and Principles of Auditing
- Audit Planning (Audit Schedule & Audit Checklist)

DAY 2
- Audit Execution
- Audit Reporting (Identification of Non-conformances & Preparing Non-conformance Report)
- Audit Closing (Verification of Corrective Actions)
- Examination

Course Structure

Tutorial sessions

Practical exercises

Quiz

Examination

Concepts and Philosophy of ISMS Framework

Exercise 1 : ISMS Definition

Complete Exercise 1 on definition of ISMS related terms


Information

Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.

Types of Information

- Internal: information that you would not want your competitors to know
- Customer/client: information that they would not wish you to divulge
- Shared: information that may be shared with other trading partners/persons

Types of Information

- Company financial data (business performance)
- Company business plan & strategies
- Employee data
- Credit card and bank account numbers
- Passwords
- Designs, patents, technical research
- Bids for contracts, market research, competitive analysis
- Intelligence (on criminals, hostile nations, etc)
- Security information (risk assessment, network diagram, facilities plans)

Information Lifecycle

- Create
- Store
- Distribute (to authorized persons)
- Modify (by authorized persons)
- Archive
- Delete (electronic) or Dispose (paper, disk, etc)

Information may need protection through its entire lifecycle, including deletion or disposal.

Information Security

Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation and reliability, may also be managed.

Information Security - a Definition

Information security is preservation of:

- Confidentiality: ensuring that information is available only to those with authorised access
- Integrity: safeguarding the accuracy and completeness of information and information processing methods & facilities
- Availability: ensuring authorised users have access to information when required

In some organizations integrity and/or availability may be more important than confidentiality.

Information Security – Why?

In today’s fast-paced, global business environment, access to information is critical to an organisation’s success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.


Information Security Risks

Some categories of risk:
- Loss
- Corruption
- Theft
- Unauthorized disclosure
- Accidental disclosure
- Unauthorized modification
- Unavailability or denial of service
- Lack of integrity
- Intrusion and subversion of system resources

Non-IT Information Security Risks

- Paper documents: on desks, in waste bins, left on photocopiers
- Whiteboards and flipcharts
- Telephone conversations overheard
- Conversations on public transport
- Social engineering

Information Security - Aim

Information Security aims to:

- Minimize business damage by preventing and minimizing the impact of security incidents
- Reduce the likelihood of a security incident occurring
- Prevent information security incidents from occurring
- Detect an incident occurring, or its effect
- Respond to an event to minimize business damage
- Ensure business continuity
- Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

Business Effects of Information Security

Maintain stakeholder confidence in the organization

Preserve business position

Ensure business continuity


Why Are We Here?

Information security management: the key to confidence and trust for business

- Customer Requirements
- Business Requirements
- Government Laws and Regulations

Interested Parties

- IT department
- Line managers
- Senior managers
- Company Boards
- Government
- Business and Trading Partners
- Customers

Managers Must Understand

Poor information security outcomes are commonly the result of poor management and not poor technical controls.

Information Security is Not all about Technology

[Figure: bar chart of three business services (Business Service 1, 2 and 3) showing the share of each that is IT dependent versus IT independent; the three splits shown are 80% / 20%, 50% / 50% and 20% / 80%.]

(Source: Office of E-Government. (2002). PowerPoint presentation)

Information Security Management System

An Information Security Management System (ISMS) is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

- A management process
- Not a technological process

What is an ISMS

An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks).

Implementation must cover:
- Requirements and policies
- Planning implementation
- Implementation and operations
- Monitoring and reviewing
- Improving the management system

Information Security Framework

(Source: Government of Western Australia: Department of Industry and Technology. (2002). Pamphlet - Managing Risks in the Internet Economy - An Executive’s Guide. p.5).


Benefits of an ISMS

An operational framework for operation
- Focus on outcomes
- Outcomes are predictable

Basis for stakeholder trust
- The general public
- Clients and customers
- Business partners, suppliers, service providers & outsourcers
- Line management & senior management

ISO 27001:2005 Requirements

ISO/IEC 27001:2005

Information Technology – Security Techniques – Information Security Management Systems – Requirements

- Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
- Information security is a management process, more than just IT
- ISO 27001 can be used for assessment and certification

ISO/IEC 27002:2005

Information Technology – Security Techniques – Code of practice for information security management

- Provides guidance on good practice for Information Security Management
- Prime objectives: a common basis for organisations; confidence in inter-organisational dealings
- Defines a set of control objectives, controls and implementation guidance
- It cannot be used for assessment and certification

PDCA model & ISMS Processes

[Figure: the PDCA model applied to the ISMS processes. Interested parties' information security requirements and expectations enter on the left; managed information security is delivered to interested parties on the right. The cycle runs: Establish the ISMS (Plan), Implement and operate the ISMS (Do), Monitor and review the ISMS (Check), Maintain and improve the ISMS (Act).]

Clauses within ISO 27001:2005

- 0 Introduction
- 1 Scope
- 2 Normative references
- 3 Terms & definitions
- Clauses 4 to 8
- Annex A: Control objectives & controls (A.5 to A.15)
- Annex B: OECD principles
- Annex C: Correspondence between standards

Plan - Do - Check - Act Cycle

PDCA model used in ISO/IEC 27001:2005. Process approach for:

- Establish ISMS (Plan)
- Implement and operate ISMS (Do)
- Monitor and review ISMS (Check)
- Maintain and improve ISMS (Act)

ISO 27001:2005, Clauses 4 to 8

- Clause 4: Information Security Management System
- Clause 5: Management Responsibility
- Clause 6: Internal ISMS Audits
- Clause 7: Management Review of the ISMS
- Clause 8: ISMS Improvement
- Annex A: Controls (A.5 to A.15)

Clause 4 - Information Security Management System

- 4.1 General Requirements
- 4.2 Establish & Manage ISMS
  - 4.2.1 Establish ISMS
  - 4.2.2 Implement & operate ISMS
  - 4.2.3 Monitor & review ISMS
  - 4.2.4 Maintain & improve ISMS
- 4.3 Documentation Requirements
  - 4.3.1 General
  - 4.3.2 Document control
  - 4.3.3 Record control

Clause 4.2.1 Establish the ISMS (Plan)

Scope and boundaries

Policy - objectives, business and legal or regulatory requirements, strategy, criteria, approved by management


Scope and Boundaries of ISMS

Scope to be described in terms of:
- Characteristics of the business
- Organization
- Location
- Information Assets
- Technology

Boundaries to include interfaces with:
- Other organisations
- Third party suppliers
- Partners
- Other IT systems

ISMS Policy

- Statement of management commitment, setting out the organisation's approach to managing information security
- Definition of information security, objectives & scope
- Statement of management intent, supporting goals & principles
- Framework for setting control objectives & controls
- Brief explanation of security policies, principles and standards
- Compliance with legislative, regulatory & contractual requirements
- Security education, training & awareness requirements
- Business continuity management
- Consequences of information security policy violations
- Definition of general & specific responsibilities
- References to documentation supporting the policy
- Communicated throughout the organisation

Clause 4.2.1 Establish the ISMS (Plan) (cont)

- Define the risk assessment approach of the organization
- Identify risks (assets and owners, threats, vulnerabilities, impacts)
- Analyse and evaluate the risks
- Identify and evaluate options for treatment of risks
- Select control objectives & controls for the treatment of risks (select from Annex A)
- Obtain management approval of proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a Statement of Applicability

Risk Assessment Approach

- Identify a suitable risk assessment methodology
- Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
- Ensure that risk assessments produce comparable and reproducible results
- The method is decided by the organization and audited against its information security scope, boundaries and policy

Risk Assessment

Risk (and the decision on which risks to mitigate with controls) depends on:
- Asset value
- Threat
- Vulnerability
- Likelihood and frequency of the threat exploiting the vulnerability
- Impact on the organization of successful exploitation

Asset Identification & Classification

Identify:

- Assets within the scope of the ISMS (Primary Assets & Supporting Assets)
  - Documents / Data
  - Physical / Hardware
  - Software
  - People
  - Services (e.g. Lighting, Air conditioning, DG etc)
- Classification: V. Confidential, Confidential, Internal & Public
- Asset owners & Users

Asset Value

Asset Value = Confidentiality x Integrity x Availability

Ranking of assets is done based on asset value: Low, Medium, High, Critical

Identification of Threats and Vulnerabilities

Threat: a potential cause of an unwanted incident which may result in harm to a system or organization.
e.g. Network failure

Vulnerability: a weakness of an asset or group of assets, which can be exploited by a threat. A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset.
e.g. No system monitoring

Assessment of Threats and Vulnerabilities

Assess the likelihood that a combination of threats and vulnerabilities occurs.

Threats and vulnerabilities may be assessed:
- Separately
- Together

Security Risk - Calculations

Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value

* Impact Value: the impact that losses of confidentiality, integrity or availability may have on the assets

Identify and Evaluate Options for the Treatment of Risks

Manage and treat risks appropriately within the business context:
- Apply appropriate controls
- Accept risks
- Avoid risk
- Transfer risk

Exercise 2 : Information Risk Assessment

Complete Exercise 2 to test understanding of Information Risk Methodology.


Control Objectives and Controls (Annexure A of ISO 27001:2005)

- 11 Control Objectives
- 39 Sub-Control Objectives
- 133 Controls

Control Objectives & Controls (Annexure A of ISO 27001:2005 Standard)

A.5 Security Policy
- A.5.1 Information Security Policy

A.6 Organization of Information Security
- A.6.1 Internal organization
- A.6.2 External parties

A.7 Asset Management
- A.7.1 Responsibility for assets
- A.7.2 Information classification

A.8 Human Resources Security
- A.8.1 Prior to employment
- A.8.2 During employment
- A.8.3 Termination or change of employment

Annexure A of ISO 27001:2005 Standard

A.9 Physical and Environmental Security
- A.9.1 Secure areas
- A.9.2 Equipment security

A.10 Communications and operations management
- A.10.1 Operational procedures and responsibilities
- A.10.2 Third party service delivery management
- A.10.3 System planning and acceptance
- A.10.4 Protection against malicious and mobile code
- A.10.5 Back-up
- A.10.6 Network security management
- A.10.7 Media handling
- A.10.8 Exchange of information
- A.10.9 Electronic commerce services
- A.10.10 Monitoring

Annexure A of ISO 27001:2005 Standard

A.11 Access Control
- A.11.1 Business requirement for access control
- A.11.2 User access management
- A.11.3 User responsibility
- A.11.4 Network access control
- A.11.5 Operating system access control
- A.11.6 Application and information access control
- A.11.7 Mobile computing and teleworking

A.12 Information systems acquisition, development and maintenance
- A.12.1 Security requirements of information systems
- A.12.2 Correct processing in applications
- A.12.3 Cryptographic controls
- A.12.4 Security of system files
- A.12.5 Security in development and support processes
- A.12.6 Technical vulnerability management

Annexure A of ISO 27001:2005 Standard

A.13 Information Security Incident Management
- A.13.1 Reporting information security events and weaknesses
- A.13.2 Management of information security incidents and improvements

A.14 Business Continuity Management
- A.14.1 Information security aspects of business continuity management

A.15 Compliance
- A.15.1 Compliance with legal requirements
- A.15.2 Compliance with security policies and standards, and technical compliance
- A.15.3 Information system audit considerations

Selection of Security Controls

- Additional control objectives and controls: the organisation might consider that additional control objectives and controls are necessary
- Not all the controls will be relevant to every situation
- Consider local environmental or technological constraints
- In a form that suits every potential user in the organisation
- Review controls already in place: remove or improve
- Implement additional controls

Residual risk

- The risk remaining after risk treatment
- Assess how much controls will reduce risk
- Reduced residual risk: acceptable or unacceptable
  - Implement more controls
  - May have to accept
- Obtain Management Approval of proposed residual risk
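The asset-value and risk formulas from the Security Risk Calculations slide, carried through to the residual-risk decision above, as an added worked example that is not part of the course material. The 1..3 rating scale, the ranking thresholds, the acceptance criterion of 100 and the three-asset register are constructed assumptions; the course leaves scales and criteria to the organisation.

```python
"""Worked risk-assessment calculation: added example, not from the course.

Implements the course formulas
    Asset Value = Confidentiality x Integrity x Availability
    Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value
on a constructed register, then applies an assumed risk-acceptance criterion to
the residual risk left after the selected control. The 1..3 rating scale, the
ranking thresholds and the acceptance level are assumptions for illustration.
"""
from dataclasses import dataclass

RATINGS = range(1, 4)  # assumed 1 (low) .. 3 (high) scale for every factor
# Assumed ranking thresholds on asset value (maximum C x I x A is 27).
ASSET_RANKS = ((3, "Low"), (8, "Medium"), (18, "High"), (27, "Critical"))


def _check_ratings(*values: int) -> None:
    for v in values:
        if v not in RATINGS:
            raise ValueError(f"rating {v} is outside the assumed 1..3 scale")


def asset_value(confidentiality: int, integrity: int, availability: int) -> int:
    """Asset Value = Confidentiality x Integrity x Availability."""
    _check_ratings(confidentiality, integrity, availability)
    return confidentiality * integrity * availability


def asset_rank(value: int) -> str:
    """Rank an asset Low / Medium / High / Critical by its asset value."""
    for upper, label in ASSET_RANKS:
        if value <= upper:
            return label
    raise ValueError("asset value above the maximum of 27")


def risk(av: int, threat: int, vulnerability: int, probability: int, impact: int) -> int:
    """Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value."""
    _check_ratings(threat, vulnerability, probability, impact)
    return av * threat * vulnerability * probability * impact


@dataclass
class Scenario:
    asset: str
    c: int                      # confidentiality rating
    i: int                      # integrity rating
    a: int                      # availability rating
    threat: int
    vulnerability: int
    probability: int            # likelihood of the threat exploiting the vulnerability
    impact: int                 # impact of a loss of C, I or A on the organisation
    treated_vulnerability: int  # vulnerability value expected after the selected control


def treat(s: Scenario, acceptable_risk: int) -> dict:
    """Apply the treatment logic: accept risk within the criterion; otherwise
    apply the control, recompute residual risk with the same formula, and flag
    it if still above the criterion (more controls or management approval)."""
    av = asset_value(s.c, s.i, s.a)
    inherent = risk(av, s.threat, s.vulnerability, s.probability, s.impact)
    row = {"asset": s.asset, "asset_value": av, "rank": asset_rank(av), "inherent": inherent}
    if inherent <= acceptable_risk:
        row.update(residual=inherent, decision="accept")
        return row
    residual = risk(av, s.threat, s.treated_vulnerability, s.probability, s.impact)
    row["residual"] = residual
    if residual <= acceptable_risk:
        row["decision"] = "apply control; residual risk acceptable"
    else:
        row["decision"] = ("apply control; residual risk still unacceptable: "
                           "add controls or obtain management approval")
    return row


# Constructed register with made-up ratings (not real assessment data).
REGISTER = [
    Scenario("customer database", 3, 3, 2, threat=3, vulnerability=3,
             probability=2, impact=3, treated_vulnerability=1),
    Scenario("public website", 1, 2, 3, threat=2, vulnerability=2,
             probability=2, impact=2, treated_vulnerability=1),
    Scenario("office notice board", 1, 1, 1, threat=1, vulnerability=1,
             probability=1, impact=1, treated_vulnerability=1),
]
ACCEPTABLE_RISK = 100  # assumed acceptance criterion (clause 4.2.1c); the maximum risk is 2187


def assess_register(register=None, acceptable_risk=ACCEPTABLE_RISK) -> list:
    """Score every scenario and return rows sorted highest inherent risk first."""
    scenarios = REGISTER if register is None else register
    rows = [treat(s, acceptable_risk) for s in scenarios]
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)


if __name__ == "__main__":
    for r in assess_register():
        print(f"{r['asset']:<20} AV={r['asset_value']:>2} ({r['rank']:<8}) "
              f"risk={r['inherent']:>4} residual={r['residual']:>4}  {r['decision']}")
```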

Statement of Applicability

Definition: a documented statement describing the control objectives and controls that are relevant and applicable to the organisation's ISMS.

Contents of Statement of Applicability:

- Control objectives and controls selected
- Reasons for selection
- Control objectives and controls currently implemented
- Exclusion of any control objectives and controls listed in Annex A, and the justification for their exclusion

The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.

Statement of Applicability

Why a control has not been fully implemented:

- Risk: not justified by risk exposure
- Budget: financial constraints
- Environment: influence on safeguards, climate, space etc
- Technology: some measures are not technically feasible
- Culture: sociological constraints
- Time: some requirements cannot be implemented now
- N/A: not applicable
- Others: ?
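The cross-check described on the two Statement of Applicability slides, as an added example that is not course material: every Annex A item must be either selected (with a reason and an implementation status) or excluded with a justification drawn from the reasons list above. The control objective subset is taken from the course's own Annex A slides; the SoA rows and the "Category: justification" format for exclusions are constructed assumptions.

```python
"""Statement of Applicability cross-check: added example, not from the course.

Checks an SoA against an Annex A catalogue the way the course describes: every
Annex A item must be selected (with a reason for selection and an implementation
status) or explicitly excluded with a justification, so that no control is
inadvertently omitted. The control objective subset is taken from the course's
Annex A slides; the SoA rows and the 'Category: justification' format used for
exclusions are constructed assumptions.
"""

# Subset of Annex A control objectives as listed on the course slides.
ANNEX_A = {
    "A.5.1": "Information Security Policy",
    "A.6.1": "Internal organization",
    "A.6.2": "External parties",
    "A.7.1": "Responsibility for assets",
    "A.7.2": "Information classification",
    "A.10.9": "Electronic commerce services",
    "A.11.7": "Mobile computing and teleworking",
    "A.12.3": "Cryptographic controls",
}

# Reasons a control may not be fully implemented, from the course slide.
EXCLUSION_REASONS = {"Risk", "Budget", "Environment", "Technology",
                     "Culture", "Time", "N/A", "Others"}

# Constructed SoA: control id -> (status, reason or justification, implemented?).
SOA = {
    "A.5.1": ("selected", "Required by the ISMS policy", True),
    "A.6.1": ("selected", "Roles defined in the ISMS manual", True),
    "A.6.2": ("selected", "Outsourced helpdesk identified in risk assessment", False),
    "A.7.1": ("selected", "Asset register within scope", True),
    "A.7.2": ("selected", "", True),                      # reason for selection missing
    "A.10.9": ("excluded", "N/A: no electronic commerce services are offered", True),
    "A.11.7": ("excluded", "Budget", False),              # category without justification
    # A.12.3 is absent from the SoA altogether: an inadvertent omission.
}


def exclusion_category(justification: str) -> tuple:
    """Split 'Category: supporting text' into (category, text)."""
    category, _, text = justification.partition(":")
    return category.strip(), text.strip()


def check_soa(annex_a=ANNEX_A, soa=SOA) -> list:
    """Return (control id, finding) pairs; an empty list means the SoA is complete."""
    findings = []
    for cid, title in annex_a.items():
        entry = soa.get(cid)
        if entry is None:
            findings.append((cid, f"'{title}' is neither selected nor excluded: inadvertent omission"))
            continue
        status, justification, implemented = entry
        if status == "selected":
            if not justification.strip():
                findings.append((cid, "selected without a reason for selection"))
            if not implemented:
                findings.append((cid, "selected but not yet implemented: track in the risk treatment plan"))
        elif status == "excluded":
            category, text = exclusion_category(justification)
            if category not in EXCLUSION_REASONS:
                findings.append((cid, f"exclusion reason '{category}' is not one of the agreed categories"))
            elif not text:
                findings.append((cid, f"exclusion under '{category}' carries no supporting justification"))
        else:
            findings.append((cid, f"unknown status '{status}'"))
    # Entries that are not Annex A items at all point at a catalogue or typing error.
    for cid in soa:
        if cid not in annex_a:
            findings.append((cid, "listed in the SoA but not in the Annex A catalogue"))
    return findings


if __name__ == "__main__":
    for cid, finding in check_soa():
        print(f"{cid:<8} {finding}")
```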

Select Control Objectives and Controls for the Treatment of Risks

Select and implement control objectives and controls:
- To meet requirements identified by the risk assessment and risk treatment process
- Taking into account the criteria for accepting risks (4.2.1c)
- Legal, regulatory and contractual requirements
- Control objectives & controls selected from Annex A of ISO 27001:2005

Clause 4.2.2 Implement and operate the ISMS (Do)

- Formulate and implement risk treatment plan
- Implement controls
- Training and awareness (also covered in clause 5.2.2)
- Manage operations & resources
- Implement procedures

Clause 4.2.3 Monitor and review the ISMS (Check)

- Execute monitoring and review procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Measure effectiveness of controls
- Review risk assessments at planned intervals
- Review level of residual risk and identified acceptable risk
- Conduct Internal ISMS Audits at planned intervals (Clause 6)
- Undertake Management Review of the ISMS (Clause 7)
- Update security plans
- Record actions and events

Clause 4.2.4 Maintain and improve the ISMS (Act)

Also covered in Clause 8.
- Implement the identified improvements in the ISMS
- Appropriate corrective and preventive action
- Communicate actions and improvements
- Ensure improvements achieve their intended objectives

Clause 5 - Management Responsibility

- 5.1 Management commitment: management shall provide evidence of commitment
- 5.2 Resource management
  - 5.2.1 Provision of resources
  - 5.2.2 Training, awareness and competency: employees, people (outside scope) interfacing with the company, customers, suppliers / third party service providers

Training and Awareness

Training is to be provided for:
- Understanding and complying with the information security policy and objectives
- Understanding security responsibilities
- What to do regarding:
  - Reporting security incidents, weaknesses
  - Applying virus protection
  - Doing backups
  - Complying with relevant local and international legislation
  - Correct use of company equipment
  - Correct use of e-mail and the internet, and others

Monitoring of ISMS

Execute monitoring procedures and other controls to:
- Promptly detect errors
- Promptly identify attempted and successful security breaches and incidents
- Ensure security activities delegated to people or implemented by information technology are performing as expected
- Help detect security events
- Prevent security incidents
- Determine whether actions taken to resolve a breach of security were effective

Monitoring of ISMS

Undertake regular reviews of effectiveness of the ISMS:
- ISMS policy and objectives
- Security controls

Take into account:
- Security audits
- Incidents
- Effectiveness measurements
- Suggestions and feedback from interested parties

Measure the effectiveness of controls to verify security requirements are met.

Clause 6 – Internal ISMS Audits

- Conduct internal audits at planned intervals
- Audit programme planned taking into consideration the status and importance of the processes to be audited, as well as the results of previous audits
- Responsibilities for audit planning, conducting and reporting are defined in a procedure
- Auditee is responsible for taking timely corrective action

Clause 7 - Management Review

Undertake planned reviews of effectiveness of the ISMS (at least once a year).

Review inputs:
- ISMS policy and objectives
- Audit results
- Suggestions and feedback from interested parties
- Threats and vulnerabilities not adequately addressed
- Results from effectiveness measurements

Review outputs:
- Improvement of effectiveness of the ISMS
- Update of Risk Assessment & Risk Treatment Plan
- Modification of procedures & controls
- Resource needs
- Improvements in measuring effectiveness of controls

Clause 8 – ISMS Improvements

- Continual Improvement
- Corrective Action
- Preventive Action

Exercise 3: Quiz on ISO 27001:2005

Complete the Quiz on ISO 27001 to test your understanding of the standard.


ISMS Documentation

Documentation Structure

[Figure: four-level documentation pyramid (Level I to Level IV): IMS Manual (Apex Document); Standard Operating Procedures and Policies; Formats, Log-Books and Registers; Checklists, Guidelines etc.; the lower levels are maintained per department (Dep1 to Dep6).]

ISMS Documentation

The ISMS Documentation includes:
- Documented statements of an ISMS policy and ISMS objectives
- Information Security Manual
- Information Security Risk Assessment
- Statement of Applicability
- Information Security Policies
- Procedures
- Formats / Logs / Records

Concepts & Principles of Auditing

Audit

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled.

(ISO 9000:2005)

Objective Evidence

Data supporting the existence or verity of something – ISO 9000:2005

May be obtained through

- Records

- Observation

- Measurement or test

- Stated or verbal

Can be verified


Specified Requirements

- Organization system requirements: manuals, policies & procedures
- ISO 27001 standard requirements
- Legal requirements: statutory, regulatory or industry body

Audit Purpose

To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.


Principles of Auditing

Ethical Conduct • Trust, integrity, confidentiality, discretion

Fair Presentation • Audit findings and conclusions are accurate and truthful

Due Professional Care

• Exercise care according to the confidence placed in them by their clients

• Competence is essential

Independence • Auditors are independent of the activities being audited and are free from bias or conflict of interest

• Conclusions will be objective and based only on audit evidence

Evidence-Based Approach

• Audit evidence is based on samples of information

• Conclusions are verifiable


Conformity vs. Compliance

Conformity:

• Fulfillment of a requirement

• Nonconformity can lead to suspension or revocation of registration

• Voluntary

Compliance:

• Fulfillment of legal/statutory requirements

• Noncompliance can lead to fines/incarceration

• Mandatory


Types of Audit

- 1st Party (Internal): audit of one's own company
- 2nd Party (External): audit of a supplier by a customer
- 3rd Party (External): audit by an independent body

Other Types of Audit

- Pre-assessment
- Certification
- Surveillance
- Process
- Product

Reasons for Internal Audits

- Requirement of all management system standards
- Source of information for use by management
- Powerful tool for continual improvement through: employee involvement, communication, employee awareness, etc.

Benefits of Auditing

- Verifies conformity to requirements
- Increases awareness and understanding
- Provides a measurement of effectiveness of the system to management
- Reduces risk of system failure
- Identifies improvement opportunities
- Precipitates the corrective action cycle
- Precipitates the preventive action cycle

Audit Process - Overview

Key stages in the internal auditing process (PERC):
- Planning
- Execution
- Reporting
- Closing

Audit Planning & Preparation

Audit Planning

Audit Schedule

Audit Checklist


Audit Schedule

Audit Schedule is based on:
- Frequency of audit (as mentioned in procedure)
- Processes / area to be audited
- Duration of audit
- Qualified internal auditors
- Audit Team to have applicable technical expertise
- Independence of audit team (cross-functional audit)

Audit Schedule - 1

P = Planned, A = Additional

[Table: annual audit schedule with one row per process (including Marketing, IT Technology, System Administration, HR and Administration) and one column per month (J F M A M J J A S O N D); each cell is marked P for a planned audit or A for an additional audit.]

Audit Schedule - 2

Day 1
Time         Processes            Auditors
1000 - 1300  Software Dev         A & B
             Real Estate Dev      C & D
1400 - 1700  BPO                  E & F
             Educational Portal   G & H

Day 2
Time         Processes            Auditors
1000 - 1300  Executive Search     I & J
             IT                   K & L
1400 - 1700  HR                   M & N
             Administration       O & P

cc: To all Department Heads and Auditors

Checklists

A checklist or aide memoire is a systematic set of questions / prompts about the auditee's IMS system, which enables the auditor to maintain a consistent approach and to ensure that no important points are missed.

A checklist should not be a list of questions to ask the auditee. It is simply a "prompt" for aspects of the system which require review.

Checklists

Checklists may be:
- Generic, or
- Tailored

Checklists - Benefits

A well constructed aide memoire will help to:
- Keep audit objectives clear
- Provide evidence of audit planning
- Maintain audit pace and continuity
- Reduce auditor bias
- Reduce workload during audit

Checklist Drawbacks

Checklists tend to lose value if they are:
- Tick (√) lists
- Questionnaires
- Too focused
- Inflexible

Prepare them as aides-memoire.

Checklist Preparation - Inputs

- Company Policies and Procedures
- Process information
- Customer requirements
- Applicable legal requirements
- Codes of practice
- Management priorities
- Previous incidents and accidents
- Previous audit reports
- Known problems

Sample Checklist Format

Process/Deptt:                 Auditee:
Auditor/s:                     Date:

S.No. | Requirements | Standard Clause No. | Objective Evidence

Exercise 4 : Audit Checklist

In your teams, prepare checklist for an ISMS audit.

Checklist may be prepared for your department.


Audit Execution

Audit System

Various roles of an auditor:
- A catalyst
- Management instrument
- An interface with suppliers, customers, colleagues
- A ‘consultant’ (NOT 3rd Party)

Some Attributes of a Good Auditor

Open minded

Diplomatic

Decisive

Perceptive

Observant

Tenacious

Self-reliant

Ethical

Any More?


Auditor Qualification

Auditors must be competent in –

Reasoning of nonconformities

Evaluating effectiveness of corrective action


Managing Communications

- Put auditee at ease
- Ask questions and listen
- Have the appropriate body language
- Smile and show eye contact
- Avoid interruptions
- Avoid sarcastic & condescending remarks
- Give praise and feedback
- Acknowledge and show interest
- Be tactful and polite
- Show patience and understanding
- Thank the auditee on completing the audit

Personality Types

The Everything is Absolutely Fine

Stick to the Bare Facts

Detail, Detail, Detail

I Always Have the Right and Best Answer


Managing Communications

Effective communication

Questioning

Listening

Body Language


Resolving Differences

- Types of conflict
- Dealing with conflict

Conduct of the Audit

- Meet the auditee
- Explain what you want to see
- Sampling audit
- Investigate to the depth necessary
- No problems found, move on
- Don’t keep on auditing until problems are found

Sampling

Why? Reduces time and costs

- Sample / sample frame
- Representative
- Random
- Chosen by the auditor
- Permission sought

Audit Execution

The Audit Process

Gathering information

Validating the findings

Evaluating the findings


Procedure for Gathering Evidence

- Question
- Observe
- Check

Collecting & Verifying information

[Figure: flow of audit evidence. Sources of information -> Collecting by appropriate sampling and verifying -> Audit Evidence -> Evaluating against audit criteria -> Audit Findings -> Reviewing -> Audit conclusions.]

Sources of Information

- Interviews
- Documents (procedures, instructions, specifications, etc)
- Records
- Data Summaries (analysis and performance)
- Reports (customer feedback, supplier ratings)
- Databases
- Observations (of activities and conditions)

Conducting Interviews

Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed.

- May start with asking the auditee to describe the work
- Avoid misleading questions
- Listen carefully & make notes
- Summarize the results of the interview & discuss with the auditee

Questions

Open questions

- Encourage auditee to speak

Probing questions

Closed questions

Questions should be asked like a funnel – starting with open questions and ending with closed questions


Questioning Techniques

Hypothetical

Obvious

Answered

Repetitive

Non-verbal


Open Questions

Six friends (to gather information):

Who (does it)

What (is done)

Where (is it done)

Why (is it done)

When (does it get done)

How (is it done; how often is it done)

And the seventh friend (for verification): Show me


7 Tips for Interviewing

Use appropriate types of question

Adopt a logical approach

Follow a natural sequence

Actively listen to what is being said

Use silence appropriately

Seek clarification, where necessary

Verify responses, where necessary


Documents

Policy & objectives

Plans

Policies and procedures / instructions

Specifications / drawings

Contracts / orders

Licenses / permits

Review documents which describe activities, plans, controls, strategies and tests.


Records

Records are evidence of an activity performed:

Test records

Training records

Performance monitoring records

Audit reports

Management Review minutes of meetings

Non-conformance records

Customer satisfaction records

Vendor performance evaluation records

and ……………………………


Observations

Observations of:

Activities being performed

Housekeeping

Condition of infrastructure and hardware

Work environment


Control of the Audit

The checklist is a servant, not a master

Audit the complete scope

If potential audit trails appear, decide whether to: disregard them; note them for later; or follow up immediately

Might affect the sample size

Might affect the audit programme


Notes

Recording the objective evidence:

Admissible statements (quotes and statements)

Document / record numbers and issue / revision levels

Identifiers (product identification)

Surroundings

Name of auditee, or preferably job title

Issues which may impact other functions


Mental Notes

Workload

Employee behaviour

Management approach

Organization culture

Reactions


Notes

Notes are evidence of the professionalism of the auditor

Evidence of sample size and observations

Should be legible & retrievable

Shall be an input to the audit report

May be used for further investigation & subsequent audits


Verify Facts

Discuss concerns with the auditee; the auditee may provide the correct information

Record all the evidence in detail

Establish why it is (or is not) a nonconformity, and who is responsible (preferably by job title)

Audit focus must be on conformity and effectiveness, not on finding nonconformities

Therefore, auditors must be competent in:

- Reasoning of nonconformities

- Evaluating the effectiveness of corrective action


Good Practices

Ask the right person: the person with the responsibility for what it is you are auditing

Don't talk down or be rude / sarcastic

Ensure questions are clear and understood: avoid jargon, use plain and simple language, rephrase the question if it is not understood

Do not confuse; ask one question at a time

Allow time for the auditee to answer any questions you ask

Do not take sides; stay impartial; do not jump to conclusions; always look for the evidence

Be polite at all times, regardless of any provocation you may encounter


Handling Difficult Situations

Time Wasting

Discrimination

Hostility

Avoidance

Finger - pointing

Undermining

Deception

Obstruction

Usurping Control

Flattery


Audit Reporting


Nonconformity

Non fulfilment of a requirement

Specified requirements:

Company policies and procedures

ISO 27001 standard requirements

Legal requirements


Nonconformity

The objective of internal audit is to assess the status of the System from the point of view of adequacy of documents (Intent), compliance and effectiveness.

Non conformities could arise out of two reasons:

- System deficiencies

- Human slip-ups

Internal audits should be aimed at identifying system deficiencies


Reporting Categories

Categories such as Non-conformance or Non-compliance represent a "non-fulfilment of a specified requirement", and for many organisations are given the highest priority when determining corrective actions.

A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.


Minor Non-conformance

Violation or failure to meet a requirement of the standard

Any minor lapse in the system

Examples

- Training not planned for two employees from the Customer Care Department

- Background verification not done for employees x, y & z prior to hiring


Major Non-conformity

Complete absence or total breakdown of any clause of the standard(s)

Complete non-compliance with a company policy or procedure

Non-compliance with a legislative requirement

A number of nonconformities leading to system breakdown

Examples

- Management Review has not been conducted for more than a year

- Information Security Policy not defined


Consider the Seriousness

Three questions to be answered

1. What could go wrong if the nonconformity remains uncorrected?

2. What is the likelihood of such a thing going wrong?

3. How likely is it to be detected if it did go wrong?

A nonconformity with moderate consequences but high probability could be a Major.

A nonconformity with serious consequences but negligible probability could be a Minor.


Observation

An Observation or Opportunity for Improvement (OFI) is a situation where there is a weakness but not enough evidence for a nonconformity/issue, which, if allowed to remain, could result in a nonconformity/issue.


Exercise 5 : Identifying Non-conformances

10 statements were presented by an audit team.

Identify if there is a non-conformance. If yes, identify the ISO 27001:2005 clause / control objective number.

If no, then state what further action should be taken by the auditor.


Writing Statements of Nonconformity


Use auditee’s terminology

Make it retrievable

Must be factual

Make it complete

Make it concise


Nonconformity Statement (1)

Procedure KCL-Pl-15 requires that access to the server room is restricted to the 2 System Administrators and the IT Head. If required, others may enter accompanied by one of the 3 persons with authorised access, and such entries are to be recorded in the Entry Log Register.

The auditor entered the server room with the System Administrator; however, no entry was made in the Entry Log Register.

Nonconformity against Procedure KCL-15 and ISO 27001:2005 Annex A control A.9.1.5
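The auditor's own walk-in above is a single observation. Where the control leaves a second trail of records, the same check can be run over the whole period under audit rather than one sample. The following is an added example, not part of the course: it assumes (hypothetically) that the server-room door has a badge reader whose export can be compared with a transcription of the Entry Log Register. The account names, the door log and the register lines are all constructed. It flags entries by non-authorised persons that never reached the register, register escorts who are not one of the three authorised persons, and escorts who never badged in that day, and it attaches the timestamp or register line as the objective evidence the auditor would quote in the notes.

```python
import csv
from io import StringIO

# The procedure names "2 System Administrators and the IT Head" but not their
# identities; these account names are hypothetical.
AUTHORISED = {"sysadmin-1", "sysadmin-2", "it-head"}

# Constructed door-controller export (assumption: the server-room door has a
# badge reader whose log can be exported). Not part of the course material.
DOOR_LOG = """timestamp,door,person
2015-03-10T09:12:00,server-room,sysadmin-1
2015-03-10T09:12:05,server-room,auditor
2015-03-10T14:30:00,server-room,contractor-7
2015-03-11T08:05:00,server-room,it-head
2015-03-11T08:05:10,server-room,vendor-engineer
"""

# Constructed transcription of the paper Entry Log Register for the same days.
REGISTER = """date,visitor,escort
2015-03-10,contractor-7,sysadmin-2
2015-03-11,vendor-engineer,it-head
"""


def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))


def reconcile(door_log_text, register_text, authorised):
    """Compare door-controller events with the Entry Log Register.

    Returns one finding per discrepancy, each carrying the objective
    evidence (door timestamp or register line) an auditor would quote.
    """
    door = parse_csv(door_log_text)
    register = parse_csv(register_text)
    registered = {(r["date"], r["visitor"]) for r in register}
    present = {(ev["timestamp"][:10], ev["person"]) for ev in door}
    findings = []
    # 1. Every entry by a non-authorised person must appear in the register.
    for ev in door:
        day, person = ev["timestamp"][:10], ev["person"]
        if person in authorised:
            continue  # the three authorised persons need no register entry
        if (day, person) not in registered:
            findings.append({"type": "unlogged-entry", "date": day,
                             "person": person, "evidence": ev["timestamp"]})
    # 2. The escort named in the register must be an authorised person
    #    and must actually have entered the room that day.
    for r in register:
        line = f'{r["date"]},{r["visitor"]},{r["escort"]}'
        if r["escort"] not in authorised:
            findings.append({"type": "unauthorised-escort", "date": r["date"],
                             "person": r["visitor"], "evidence": line})
        elif (r["date"], r["escort"]) not in present:
            findings.append({"type": "escort-absent", "date": r["date"],
                             "person": r["visitor"], "evidence": line})
    return findings


if __name__ == "__main__":
    for finding in reconcile(DOOR_LOG, REGISTER, AUTHORISED):
        print(finding)
```

On the constructed data the auditor's unlogged visit on 2015-03-10 is reported, and so is a register line whose named escort never badged in that day; both are the kind of fact that should be discussed with the auditee before being written up, since a missing badge event may have an innocent explanation (tailgating behind a colleague, a reader fault) that still needs recording.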


Nonconformity Statement (2)

The Policy for Compliance states that no software, unless provided by corporate IT, may be loaded onto the network without the prior permission of the IT manager.

The SW department were currently using a new data analysis tool which was sent to them directly by the developers, after their agreement to take part in testing the new tool in return for a free copy of the finished product.

Nonconformity against the Policy for Compliance and ISO 27001:2005 Annex A, A.15.1


Ethos of Auditing

Positive approach

Aim to help improve system

Don’t look for blame

Aid identification of solutions


Audit Report

Date

Process / area of audit

Auditor(s)

Auditee

NCR

Root cause

Proposed corrective action

Corrective action taken

Verification of effectiveness of corrective action

Review


Reporting

After the audit report is generated, the auditor:

Submits the report to the auditee

Gets the auditee to agree on the nonconformance

Agrees dates for corrective action

Ensures that action is taken effectively


Exercise 6 : Nonconformance Report

Write the nonconformance report for any nonconformance in Exercise 5


Audit Closing


Conducting Audit Follow-up

The auditor is responsible for :

Identifying the nonconformance

and

Closing the nonconformance


Conducting Audit Follow-Up

At the conclusion of the follow-up audit, the auditor must reach a conclusion as to the completion and effectiveness of the previously proposed corrective actions:

Has the action been taken, and has it been effective?

Has the action not been taken, or is it incomplete?

Has the action been taken but proved ineffective?


Follow-up Action

Step (responsible party):

Receive NCR (Auditee)

Identify root cause (Auditee)

Corrective action plan prepared (Auditee)

Evaluates response (Auditor)

Implements plan (Auditee)

Evaluates effectiveness (Auditee)

Revises plan if necessary (Auditee)

Documents the changes (Auditee)

Verifies implementation & effectiveness (Auditor)

Records made of all actions taken


Exercise 7 : Corrective Action

Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.


Thank You

Working Together For Better Environment.